Re: Running Show running-config with least privilege

giridar · ‎11-07-2020

Hi All,

Create a privilege 7 user and added these permissions

privilege exec level 7 terminal length 0
privilege exec level 7 show running-config
privilege exec level 7 show startup-config

when running Show running-config there is not much output but getting the full output for show startup-config

how can i give get a full output for show running-config

thanks in advance

marce1000 · ‎11-08-2020

- Check if this document can help you :

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

giridar · ‎11-08-2020

thank you, really helped

but if I give configure terminal access to level 7, the user can modify the configurations

is there are way to give read only permission

balaji.bandi · ‎11-08-2020

I replied other thread, you ca try below :

Since you do not provide the device information or IOS - high level you can do as below

username bbandi privilege 5 secret 5 YYYYYYYYYYYYYYYYYYY

privilege exec level 5 show running-config view full
privilege exec level 5 show running-config view
privilege exec level 5 show running-config
privilege exec level 5 show

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

giridar · ‎11-08-2020

thank you, device is a switch and i have different models

i tried the commands but still it does not give the full output

SW01#show running-config
Building configuration...

Current configuration : 192 bytes
!
! Last configuration change at 05:20:54 UTC Mon Nov 9 2020 by admin
! NVRAM config last updated at 07:56:01 UTC Sun Oct 18 2020 by admin
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end

balaji.bandi · ‎11-09-2020

you need to tell us what is that device and IOS so we can suggest better. - that is an example will help to understand the syntax

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

giridar · ‎11-09-2020

i have ws-c2960L-48ps-LL with c2960l-universalk9-mz.152-6.E

balaji.bandi · ‎11-09-2020

Try below : (still not working - post complete config to look)

privilege exec all level 5 show running-config

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

giridar · ‎11-09-2020

thank you, please find configurations, i have removed some due to security purposes

Using 7927 out of 524288 bytes
!
! Last configuration change at 07:55:54 UTC Sun Oct 18 2020 by admin
! NVRAM config last updated at 07:56:01 UTC Sun Oct 18 2020 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW04
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
interface GigabitEthernet0/1
switchport access vlan 15
switchport mode access
spanning-tree portfast edge
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
description dtp VLAN
ip address
!
ip http server
ip http secure-server
ip ssh version 2
!
!
!
snmp-server community rww RO
snmp-server enable traps snmp authentication
snmp-server host rww snmp
no vstack
!
line con 0
line vty 0 4
login local
line vty 5 15
login
!
end

balaji.bandi · ‎11-09-2020

i do not see real config for the user config and other to verify - the one you provided do not have any clue.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

giridar · ‎11-09-2020

could you provide me the command to get the configuration that you are looking for

balaji.bandi · ‎11-10-2020

show run (with out modifying it and you can remove any password) but i do not see any AAA or username.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

giridar · ‎11-10-2020

please find below
SW04#show running-config
Building configuration...

Current configuration : 9221 bytes
!
! Last configuration change at 07:55:54 UTC Sun Oct 18 2020 by admin
! NVRAM config last updated at 07:56:01 UTC Sun Oct 18 2020 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW04
!
boot-start-marker
boot-end-marker
!
!
username xxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
interface GigabitEthernet0/1
switchport access vlan 15
switchport mode access
spanning-tree portfast edge
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
description Data VLAN
ip address xx.xx.xx.xx xxx.xxxx.xxxx.xx
!
ip http server
ip http secure-server
ip ssh version 2
!
!
!
snmp-server community yyyy RO
snmp-server enable traps snmp authentication
snmp-server host xx.xx.xx.xx yyyy snmp
no vstack
!
line con 0
line vty 0 4
login local
line vty 5 15
login
!
end

balaji.bandi · ‎11-10-2020

Sorry am i missing something here -- you do not have any config we suggested. your aaa also not configured.

as per my understanding of high level configuration you looking to user to have only show run to take backup is this correct. ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

giridar · ‎11-10-2020

sorry, i missed some while copying

I enabled the AAA with below commands and it worked, but I am worried i may loos access or permission

aaa new-model
aaa authentication login default local
aaa authorization exec default local

SW04#show running-config
Building configuration...

Current configuration : 9221 bytes
!
! Last configuration change at 07:55:54 UTC Sun Oct 18 2020 by admin
! NVRAM config last updated at 07:56:01 UTC Sun Oct 18 2020 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW04
!
boot-start-marker
boot-end-marker
!

enable secret 4 uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
!
username xxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username tttttt privilege 7 secret 5 ttttttttttttttttttttttt
username wwwwwww privilege 5 secret 5 qqqqqqqqqqqqqqqqqqqqqqqqqqq
no aaa new-model
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
interface GigabitEthernet0/1
switchport access vlan 15
switchport mode access
spanning-tree portfast edge
!
interface Vlan1
no ip address
shutdown
!
interface Vlan15
description Data VLAN
ip address xx.xx.xx.xx xxx.xxxx.xxxx.xx
!
ip http server
ip http secure-server
ip ssh version 2
!
!
!
snmp-server community yyyy RO
snmp-server enable traps snmp authentication
snmp-server host xx.xx.xx.xx yyyy snmp
no vstack
privilege exec level 7 copy running-config
privilege exec level 7 copy
privilege exec level 7 crypto
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 terminal length
privilege exec level 7 terminal
privilege exec level 7 show crypto
privilege exec level 5 show startup-config
privilege exec level 5 show running-config view full
privilege exec level 5 show running-config view
privilege exec all level 7 show running-config
privilege exec level 7 show configuration
privilege exec level 7 show
!
line con 0
line vty 0 4
login local
line vty 5 15
login
!
end